
fix(ci): pin trivy-action to known-good SHA v0.35.0 #1095

Merged
svetasmirnova merged 1 commit into 3.x from fix/pin-trivy-action-sha
Mar 24, 2026

Conversation

@nogueiraanderson
Contributor

Summary

  • Pin aquasecurity/trivy-action to known-good SHA 57a97c7e7821a5776cebc9bb87c984fa69cba8f1 (v0.35.0)
  • Current reference uses mutable tag @0.35.0 which is vulnerable to tag force-push attacks
  • Mitigates the aquasecurity/trivy-action supply chain compromise (ref: internal security review)
  • Affected workflow: toolkit.yml

- Replace mutable tag reference with immutable SHA
- Mitigates aquasecurity/trivy-action supply chain compromise
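The check behind this PR, written out as an added example (not code from the PR or from the percona-toolkit repository): a small scanner that walks a GitHub Actions workflow and reports every `uses:` reference that is not pinned to a full 40-hex commit SHA. The `BEFORE`/`AFTER` snippets are constructed from the tag and SHA quoted in the PR summary; the surrounding step YAML (step name, `with:` inputs) is assumed, not taken from `toolkit.yml`. The scanner generalizes past this one action: it flags any `owner/repo@tag` or `@branch` reference while skipping local (`./`) and `docker://` steps, which are not resolved through a git tag.

```python
import re

# Constructed sample: the trivy step as referenced before this PR (mutable tag).
BEFORE = """\
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.35.0
        with:
          scan-type: fs
"""

# Constructed sample: the same step pinned to the SHA named in the PR, with the
# conventional trailing comment that records which tag the SHA corresponds to.
AFTER = """\
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          scan-type: fs
"""

# Constructed mixed workflow: one pinned step, one tag-pinned step, one branch
# reference, one local action (skipped) and one docker reference (skipped).
MIXED = """\
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-setup
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
"""

# `uses:` may appear as a list item ("- uses:") or as a plain key; the value ends
# at whitespace or at a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full git commit SHA is exactly 40 lowercase hex characters.
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def is_pinned_to_sha(ref):
    """True when an action reference of the form owner/repo[@path]@<ref> uses a full SHA."""
    if "@" not in ref:
        return False  # no ref at all: resolves to the default branch
    _, _, version = ref.rpartition("@")
    return bool(FULL_SHA_RE.match(version))


def find_unpinned_actions(workflow_text):
    """Return (line_number, reference) for every remote action not pinned to a full SHA.

    Local actions (./path) and docker:// images are skipped: they are not
    fetched by git tag, so the tag force-push concern does not apply to them.
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not is_pinned_to_sha(ref):
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER), ("mixed", MIXED)):
        print(f"== {label} ==")
        for lineno, ref in find_unpinned_actions(text):
            print(f"  line {lineno}: not pinned to a commit SHA: {ref}")
```

Run the same function over a checkout of `.github/workflows/*.yml` to get a list of references that a tag force-push could redirect; a reference that passes this check can only change if the workflow file itself is edited.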
@it-percona-cla

it-percona-cla commented Mar 24, 2026

CLA assistant check
All committers have signed the CLA.

@it-percona it-percona temporarily deployed to fix/pin-trivy-action-sha - percona-toolkit PR #1095 March 24, 2026 15:23 — with Render Destroyed
@svetasmirnova svetasmirnova merged commit cde9f7a into 3.x Mar 24, 2026
4 checks passed
@svetasmirnova svetasmirnova deleted the fix/pin-trivy-action-sha branch March 24, 2026 19:04


5 participants